I need a little help. I tried to run a virus scan with my Avast a few days ago and when it was doing it’s memory test it found a Win32: Alureon-CE [Rtk] and in the type it said Rootkit. I’m not necessarily educated on this kind of thing, so I googled it and in the process of trying to find some help it would redirect me to other ad sites. So, I have to copy the links to get to the direct link.
Well, another bummer is when I tried to move the virus to the chest it told me something along the lines of “Maximum number of secrets have been exceeded” and now I have no clue what that means.
Then, I try to use my trusty Malwarebytes and it finds the virus and asks me to remove them, and I do. I go through the whole boot process and when I’m finally all started up, I still have the same problems.
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
Also, what happened with the boot time scanning? Didn’t avast detect it? Or just you can’t send it to Chest?
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.
When you get the situation resolved you’re using Windows SP2 that has several security vulnerablilities and Windows SP3 has been available for over a year that has perfomance enhancements and several Critical Security Updates so in IE go to Tools then Windows Update then download and install all updates.
Go to Control Center then Security Center then set it to Automatic Updates (Recommended) or at least Notify me about updates but do not download nor install them.
Manual cleansing instructions to check after fully following up essexboys’ intructions,
see attached txt file.
How Did My PC Get Infected with TDSServ?
The following are the most likely reasons why your computer got infected with TDSServ:
Your operating system and Web browser’s security settings are too lax.
You are not following safe Internet surfing and PC practices.
Downloading and Installing Freeware or Shareware
Small-charge or free software applications may come bundled with spyware, adware, or programs like TDSServ. Sometimes adware is attached to free software to enable the developers to cover the overhead involved in created the software. Spyware frequently piggybacks on free software into your computer to damage it and steal valuable private information.
Using Peer-to-Peer Software
The use of peer-to-peer (P2P) programs or other applications using a shared network exposes your system to the risk of unwittingly downloading infected files, including malicious programs like TDSServ.
Visiting Questionable Web Sites
When you visit sites with dubious or objectionable content, trojans-including TDSServ-, spyware, and adware, may well be automatically downloaded and installed onto your computer,
If some files cannot be deleted this should be done at bootup through the use of for instance avenger.
You will be guided through this process in the malware cleansing routine…
The rootkit can disable ComboFix as ComboFix. Did you rename ComboFix to winlogon as you downloaded it? This mighty important else the virus will NOT let you run ComboFix, so the renaming is to circumvent the disabling of ComboFix. Capito?
[list][list][list]I was afraid of that. I will need you to run two programmes now. The first should give me the name of the main driver and the second the associated file
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
[]Click on the Log tab.
[] In the Write to log box select all items.
[] Click on the Create Log button on the bottom right.
[] After a few seconds a new Window should appear.
[] Make sure Scan all drives is selected and click on the Start button.
[] When it is complete a new Window will appear to indicate that the scan is finished.
[*] The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window: http://rathat.geekstogo.com/images/AVZupdate.jpg
[*]Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again
[*] Start AVZ.
[] Choose from the menu “File” => "Standard scripts " and mark the “Healing/Quarantine and Advanced System Analysis” check box.
[] Click on the “Execute selected scripts”.
[] Automatic scanning, healing and system check will be executed.
[] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[] All applications will work properly after the system restart.
When restarted
[*] Start AVZ.
[] Choose from the menu “File” => “Standard scripts " and mark the “Advanced System Analysis” check box.
[] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn't do it automatically.
ON COMPLETION
[*] Start AVZ.
[] Choose from the menu “File” => “Standard scripts " and mark the “Advanced System Analysis” check box.
[] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
OK AVZ failed so lets try a different route youfruitloop - Thunderskins please start a new thread as this could get confusing otherwise
Please downloadThe Avenger2 by Swandog46 to your Desktop.
[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
geyekrkcdjbpfa
Files to delete:
C:\WINDOWS\system32\drivers\xydgc.sys
C:\WINDOWS\Temp\geyekrevspquepmq.tmp
C:\WINDOWS\Temp\geyekrdieexornsd.tmp
C:\WINDOWS\system32\geyekrwhvnivpq.dat
C:\WINDOWS\system32\geyekrqcqouigs.dll
C:\WINDOWS\system32\geyekrlaixwbrf.dll
C:\WINDOWS\system32\geyekriororskq.dat
C:\WINDOWS\system32\geyekrqcqouigs.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, open the avenger folder and start The Avenger program by clicking on its icon.
[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply [/b].
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver “geyekrkcdjbpfa” deleted successfully.
Error: file “C:\WINDOWS\system32\drivers\xydgc.sys” not found!
Deletion of file “C:\WINDOWS\system32\drivers\xydgc.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist
Error: file “C:\WINDOWS\Temp\geyekrevspquepmq.tmp” not found!
Deletion of file “C:\WINDOWS\Temp\geyekrevspquepmq.tmp” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist
Error: file “C:\WINDOWS\Temp\geyekrdieexornsd.tmp” not found!
Deletion of file “C:\WINDOWS\Temp\geyekrdieexornsd.tmp” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist
Error: could not delete file “C:\WINDOWS\system32\geyekrwhvnivpq.dat”
Deletion of file “C:\WINDOWS\system32\geyekrwhvnivpq.dat” failed!
Status: 0xc0000156
Error: could not delete file “C:\WINDOWS\system32\geyekrqcqouigs.dll”
Deletion of file “C:\WINDOWS\system32\geyekrqcqouigs.dll” failed!
Status: 0xc0000156
Error: could not delete file “C:\WINDOWS\system32\geyekrlaixwbrf.dll”
Deletion of file “C:\WINDOWS\system32\geyekrlaixwbrf.dll” failed!
Status: 0xc0000156
Error: file “C:\WINDOWS\system32\geyekriororskq.dat” not found!
Deletion of file “C:\WINDOWS\system32\geyekriororskq.dat” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist
Error: could not delete file “C:\WINDOWS\system32\geyekrqcqouigs.dll”
Deletion of file “C:\WINDOWS\system32\geyekrqcqouigs.dll” failed!
Status: 0xc0000156
